Implement secure mainnet deployment strategy

## Summary

Current deployment setup uses a plain private key in `.env` (`TESTNET_DEPLOYER_PRIVATE_KEY`). This is acceptable for testnets but insufficient for mainnet deployments.

## Current state

- `.env` file with `TESTNET_DEPLOYER_PRIVATE_KEY` — testnets only
- Same key used across Sepolia, Chiado, Base Sepolia
- Key stored as plaintext in local file (gitignored)

## Requirements for mainnet

Evaluate and implement one or more of:

- **Hardware wallet (Ledger/Trezor)** via `@nomicfoundation/hardhat-ledger` — key never leaves device
- **Multisig (Gnosis Safe)** — deployer proposes, multiple signers approve
- **Cloud KMS** (AWS KMS / GCP KMS) — key material stays in HSM
- **Separate env vars** — at minimum, distinct `MAINNET_DEPLOYER_PRIVATE_KEY` to prevent accidental cross-environment use

## Acceptance criteria

- [ ] Mainnet deployment uses a method where private key is not stored as plaintext
- [ ] Clear separation between testnet and mainnet deployment flows
- [ ] Documentation updated with mainnet deployment instructions
- [ ] Deployment checklist for mainnet launches

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement secure mainnet deployment strategy #3

Summary

Current state

Requirements for mainnet

Acceptance criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Implement secure mainnet deployment strategy #3

Description

Summary

Current state

Requirements for mainnet

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions